On Tue, Oct 21, 2003 at 08:59:38PM -0700, Lars Eggert wrote:
> Jos Backus wrote:
> >If one has many (thousands) hosts/addresses that the same filter action
> >needs to be taken for, what would be the most efficient way to implement
> >this using, say, ipfw or ipfilter?
>
> You can generate a rule set based on matching increasingly specific
> subnets in combination with skipto, i.e. simulate a trie-like structure
> with the firewall. This can get you down to O(log).
>
> It's not as automatic as you'd like though, probably.

Right. That would be one way of making the existing rule-based mechanism more
efficient, but it would presumably still be too slow and cumbersome to
maintain. However, Pyun YongHyeon pointed me to pf's table feature which looks
like it fits the ticket perfectly, so I'm going to investigate that.

Thanks Lars.

--
Jos Backus
Sunnyvale, CA
jos at catnook.com
require 'std/disclaimer'
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
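
The skipto approach described in the quoted reply, as an added example that is not part of the original thread: a generator that turns a block list into a binary prefix trie of `ipfw` rules, plus a small first-match simulator that counts how many rules a packet touches. The function names, the starting rule number 1000, the exit rule number `END`, the leaf size of 4 and the sample addresses are all assumptions made for this illustration.

```python
import ipaddress

END = 60000  # assumed: rule number where the rest of the rule set resumes

def build(hosts, plen, start, leaf):
    """hosts: sorted distinct ints that share their first plen bits."""
    if len(hosts) <= leaf:
        rules = [(start + i, "deny", str(ipaddress.IPv4Address(h)))
                 for i, h in enumerate(hosts)]
        # Nothing in this leaf matched: jump out of the generated block.
        return rules + [(start + len(hosts), f"skipto {END}", "any")]
    bit = 1 << (31 - plen)
    left = [h for h in hosts if not h & bit]
    right = [h for h in hosts if h & bit]
    if not left or not right:  # this bit separates nothing: test the next
        return build(hosts, plen + 1, start, leaf)
    lrules = build(left, plen + 1, start + 1, leaf)
    rstart = start + 1 + len(lrules)  # skipto may only jump forward
    net = ipaddress.ip_network((right[0] & ~(bit - 1), plen + 1))
    return ([(start, f"skipto {rstart}", str(net))] + lrules
            + build(right, plen + 1, rstart, leaf))

def generate(addresses, start=1000, leaf=4):
    hosts = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    rules = build(hosts, 0, start, leaf)
    if rules[-1][0] >= END:
        raise ValueError("generated rules run into END; use a table instead")
    return rules

def render(rules):
    return [f"ipfw add {n} {act} ip from {src} to any" for n, act, src in rules]

def evaluate(rules, src):
    """First-match walk in rule-number order: (verdict, rules examined)."""
    addr, target, seen = ipaddress.ip_address(src), 0, 0
    for num, act, match in rules:
        if num < target:
            continue
        seen += 1
        if match == "any" or addr in ipaddress.ip_network(match):
            if act == "deny":
                return "deny", seen
            target = int(act.split()[1])
    return "continue", seen

# Constructed sample: 2000 distinct addresses in 10.0.0.0/8.
SAMPLE = [f"10.{i // 250}.{i % 250}.{i * 7 % 250 + 1}" for i in range(2000)]

if __name__ == "__main__":
    print("\n".join(render(generate(SAMPLE))[:8]))
```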